
RE: Question about non-board-member posts to the list



All,

Here is the technical sequence of events for how Tom Millar's message was archived.  I'd be very interested in knowing whether Board members believe the message should be removed from the archives.

1. As Steve Boyle already said, and just to re-emphasize, Tom has read-only access to the list.

2. Only Board members and certain MITRE personnel have the privileges to post to the list.

3. As already observed by Steve, Tom's message was directed toward both cve-id-change and the Board list.

4. Tom's message almost certainly was *not* delivered to the Board list due to his read-only privileges, which probably resulted in a bounce.  (If any Board member *did* receive such a message, please let us know.)

5. The message was (appropriately) delivered to cve-id-change because, as Steve already explained, we created it in order to receive input from everybody.

6. The account that is used to maintain the online Board archive is subscribed to both cve-editorial-board-list and cve-id-change.

7. Because cve-editorial-board-list was listed as a recipient, a program stored Tom's message in a Board-specific mail folder that is dedicated to public archival.

8. Typically, a manual verification step is performed to "clean up" stray messages that were actually rejected.  The manual review step did not happen in this case.

9. As a result, Tom's message was publicly archived.

For a previous example of the type of human error as described in item 8, see https://cve.mitre.org/data/board/archives/2013-04/msg00003.html

- Steve



> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-
> editorial-board-list@lists.mitre.org] On Behalf Of Boyle, Stephen V.
> Sent: Wednesday, September 02, 2015 4:45 PM
> To: jericho <jericho@attrition.org>; cve-editorial-board-list <cve-editorial-
> board-list@lists.mitre.org>
> Cc: Boyle, Stephen V. <sboyle@mitre.org>
> Subject: RE: Question about non-board-member posts to the list
> 
> Hi Brian,
> 
> > Would Steve or MITRE please make it clear what happened here?
> 
> Sure, I'd be happy to. (I figured I'm "a" Steve if not "the" Steve, so close enough.)
> 
> Tom Millar is subscribed to the Editorial Board List as are other people who are
> not members of the Board. As you know, Tom, since he is part of the sponsoring
> organization, is not allowed to be on the Editorial Board. However, it has been
> longstanding practice for CVE to offer read-only access to the Editorial Board
> list as a courtesy to certain people; in this case, to our sponsor. People who are
> not Board members can see what goes by, but they do not have posting
> privileges because they are not, well, Board members. That is another reason
> why we maintain the separate, private Editorial Board-only email list -- cve-
> private-eboard-list.
> 
> > Given that Mr. Millar replied within an hour to that post on a Thursday
> > night...
> 
> That's not at all unusual for Tom, or lots of us.
> 
> > ... when he would not have been included in the general distribution
> > list, it is fair to say that he was BCC'd.
> 
> Except that Tom was included in the general distribution list, as described above.
> Because Tom sees Board list messages that go by, he wouldn't need a BCC or
> other out-of-band notification of our request -- he saw it at the same time as
> other members of the Editorial Board list. So, Tom is on the list, was on the list,
> and was not BCC'd or otherwise given a preview of the email.
> 
> > Further, that he was likely warned of the incoming post and encouraged to
> > reply to it.
> 
> Except that Tom wasn't warned and he wasn't encouraged to reply. He read the
> post, presumably on the Board list, and responded to cve-id-change (as we
> requested) with his offer of help to publicize the change. More on this below.
> 
> > Given Steve's mail specifically asked
> > repliers to "contact cve-id-change@mitre.org if you wish to participate",
> > which is odd for an Editorial Board posting...
> 
> In the normal case, it would be odd to ask the Board to reply to another list.
> However, in the case of the exceptional, singular event that was the change to
> the CVE ID syntax, we asked people to respond to cve-id-change because we
> were asking for lots of participation from others, not just the Board, and using
> the cve-id-change list kept it all together. In addition, cve-id-change was an
> open list so anyone could post, making it even more handy for replies from non-
> Board members. The attendant Board message was a cut-and-paste of what we
> were sending out. We simply previewed it to the Board members, thereby asking
> them to reply to the same email address as everybody else.
> 
> > it is doubly odd that a random non-board member would be involved.
> 
> I hope I've sufficiently explained how that came about (above).
> 
> I understand your concerns, and I appreciate the fact that you raised them here,
> where they could be addressed. I invite and encourage you to continue to ask
> questions and look for answers, especially when things seem odd or otherwise
> squirrelly.
> 
> I'll close by saying that I can't tell you anything more than what I know and what
> I remember, but I can personally assure you that MITRE has not and does not
> circumvent the Board, in any way, with any person or organization.
> 
> Best Regards,
> Steve Boyle
> CVE Project Leader
> 
> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-
> editorial-board-list@lists.mitre.org] On Behalf Of jericho
> Sent: Wednesday, September 02, 2015 1:35 AM
> To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Subject: Question about non-board-member posts to the list
> Importance: High
> 
> https://cve.mitre.org/data/board/archives/2014-09/msg00000.html
> 
> To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Subject: Request to include Board members in a press release about CVE
> ID syntax change
> From: "Christey, Steven M." <coley@mitre.org>
> Date: Thu, 4 Sep 2014 19:12:43 +0000
> 
> Steve posted to the editorial board list, for members of the editorial
> board and MITRE, asking about a press release.
> 
> There was a single reply to this post:
> 
> https://cve.mitre.org/data/board/archives/2014-09/msg00003.html
> 
> To: "'cve-id-change@mitre.org'"
> <cve-id-change@mitre.org>,"'cve-editorial-board-list@lists.mitre.org'"<cve-
> editorial-board-list@lists.mitre.org>
> Subject: Re: Request to include Board members in a press release about
> CVE ID syntax change
> From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
> Date: Thu, 4 Sep 2014 20:18:36 +0000
> 
> Thomas Millar, from DHS, is not on the CVE editorial board per the
> membership list (by name or org):
> 
> https://cve.mitre.org/community/board/
> 
> Given that Mr. Millar replied within an hour to that post on a Thursday
> night, when he would not have been included in the general distribution
> list, it is fair to say that he was BCC'd. Further, that he was likely
> warned of the incoming post and encouraged to reply to it.
> 
> Would Steve or MITRE please make it clear what happened here? Why was Mr.
> Millar brought into this mail beforehand, BCC'd on a mail to the list,
> and likely encouraged to reply? Given Steve's mail specifically asked
> repliers to "contact cve-id-change@mitre.org if you wish to participate",
> which is odd for an Editorial Board posting, it is doubly odd that a
> random non-board member would be involved.
> 
> Thanks,
> 
> .b
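
The filing step in item 7 and the skipped check in item 8, as an added example that is not part of the original message and is not MITRE's archiving program: a sketch comparing a rule that files on the recipient header alone with one that also requires the sender to hold posting privileges. The function names, the allowlist and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

BOARD_LIST = "cve-editorial-board-list@lists.mitre.org"
# Constructed allowlist standing in for accounts with posting privileges (item 2).
AUTHORIZED_POSTERS = {"board.member@example.org"}

def recipients(msg):
    """Lower-cased addresses named in To and Cc."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields)}

def file_by_recipient(msg):
    """Rule as described in item 7: file for archival if the Board list is a recipient."""
    return BOARD_LIST in recipients(msg)

def file_by_authorization(msg):
    """Automates the item 8 check: the sender must also be allowed to post."""
    senders = [addr.lower() for _, addr in getaddresses(msg.get_all("From", []))]
    return (file_by_recipient(msg) and len(senders) == 1
            and senders[0] in AUTHORIZED_POSTERS)

def make(sender, to):
    # Constructed sample message; only the headers matter here.
    return message_from_string(f"From: {sender}\nTo: {to}\nSubject: test\n\nbody\n")

# Constructed cases: a read-only subscriber addressing both lists, and a Board post.
STRAY = make("reader@example.gov", f"cve-id-change@mitre.org, {BOARD_LIST}")
LEGIT = make("Board Member <board.member@example.org>", BOARD_LIST)

if __name__ == "__main__":
    for name, m in (("stray", STRAY), ("legit", LEGIT)):
        print(name, file_by_recipient(m), file_by_authorization(m))
```

The From header is asserted by the sender, so this check mirrors the list server's posting decision rather than replacing it.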


Page Last Updated or Reviewed: September 14, 2015